RE: New worm? 'readme.eml'

From: Patrick S. Harper (patrick@internetsecurityguru.com)
Date: 09/20/01


From: "Patrick S. Harper" <patrick@internetsecurityguru.com>
To: "'Guy Fighel'" <GuyF@xpert.com>, "'Duane Waddle'" <waddle1@us.ibm.com>, "'McCammon, Keith'" <Keith.McCammon@eadvancemed.com>
Subject: RE: New worm? 'readme.eml'
Date: Thu, 20 Sep 2001 09:48:49 -0500
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAKo5hLJgV8kCGKdQJU7J+GMKAAAAQAAAAN1/k00dR5kODgOOyeVbPlQEAAAAA@internetsecurityguru.com>

Here is an easy way to do that. It is an excerpt from one of my
hardening scripts. I rerun this after every patch and hot fix.

Hope it helps

echo Move and ACL Critical Files
REM Create the tools directory and add it to the PATH (pathman is a Resource
REM Kit utility that sets the system path; the path= line covers this session)
md c:\tools
pathman /as c:\tools
path=%path%;c:\tools
pause
REM Move each tool out of system32 so it is only reachable under the
REM restrictive ACL applied to c:\tools at the end of the script
if exist c:\winnt\system32\xcopy.exe move c:\winnt\system32\xcopy.exe c:\tools
if exist c:\winnt\system32\arp.exe move c:\winnt\system32\arp.exe c:\tools
if exist c:\winnt\system32\posix.exe move c:\winnt\system32\posix.exe c:\tools
if exist c:\winnt\system32\cacls.exe move c:\winnt\system32\cacls.exe c:\tools
if exist c:\winnt\system32\debug.exe move c:\winnt\system32\debug.exe c:\tools
if exist c:\winnt\system32\nslookup.exe move c:\winnt\system32\nslookup.exe c:\tools
if exist c:\winnt\system32\wscript.exe move c:\winnt\system32\wscript.exe c:\tools
if exist c:\winnt\system32\edlin.exe move c:\winnt\system32\edlin.exe c:\tools
if exist c:\winnt\system32\rsh.exe move c:\winnt\system32\rsh.exe c:\tools
if exist c:\winnt\system32\ipconfig.exe move c:\winnt\system32\ipconfig.exe c:\tools
if exist c:\winnt\system32\regedt32.exe move c:\winnt\system32\regedt32.exe c:\tools
if exist c:\winnt\system32\rexec.exe move c:\winnt\system32\rexec.exe c:\tools
if exist c:\winnt\system32\cscript.exe move c:\winnt\system32\cscript.exe c:\tools
if exist c:\winnt\system32\ping.exe move c:\winnt\system32\ping.exe c:\tools
if exist c:\winnt\system32\rcp.exe move c:\winnt\system32\rcp.exe c:\tools
REM regedit.exe lives in the Windows directory, not system32, so the test
REM and the move must use the same path
if exist c:\winnt\regedit.exe move c:\winnt\regedit.exe c:\tools
if exist c:\winnt\system32\cmd.exe move c:\winnt\system32\cmd.exe c:\tools
if exist c:\winnt\system32\net.exe move c:\winnt\system32\net.exe c:\tools
if exist c:\winnt\system32\route.exe move c:\winnt\system32\route.exe c:\tools
if exist c:\winnt\system32\qbasic.exe move c:\winnt\system32\qbasic.exe c:\tools
if exist c:\winnt\system32\secfixup.exe move c:\winnt\system32\secfixup.exe c:\tools
if exist c:\winnt\system32\edit.com move c:\winnt\system32\edit.com c:\tools
if exist c:\winnt\system32\ftp.exe move c:\winnt\system32\ftp.exe c:\tools
if exist c:\winnt\system32\at.exe move c:\winnt\system32\at.exe c:\tools
if exist c:\winnt\system32\runonce.exe move c:\winnt\system32\runonce.exe c:\tools
if exist c:\winnt\system32\nbtstat.exe move c:\winnt\system32\nbtstat.exe c:\tools
if exist c:\winnt\system32\netstat.exe move c:\winnt\system32\netstat.exe c:\tools
if exist c:\winnt\system32\telnet.exe move c:\winnt\system32\telnet.exe c:\tools
if exist c:\winnt\system32\finger.exe move c:\winnt\system32\finger.exe c:\tools
if exist c:\winnt\system32\syskey.exe move c:\winnt\system32\syskey.exe c:\tools
if exist c:\winnt\system32\tracert.exe move c:\winnt\system32\tracert.exe c:\tools
pause
REM Share the directory for administrative use, then edit its ACL: grant
REM full control to the listed principals and revoke Everyone
net share tools$=c:\tools /y
cacls c:\tools /e /p administrators:f > nul
cacls c:\tools /e /p "creator owner":f > nul
cacls c:\tools /e /p "backup operators":f > nul
cacls c:\tools /e /p system:f > nul
cacls c:\tools /e /r everyone > nul

-----Original Message-----
From: Guy Fighel [mailto:GuyF@xpert.com]
Sent: Thursday, September 20, 2001 1:05 AM
To: 'Duane Waddle'; McCammon, Keith
Cc: focus-ids@securityfocus.com; focus-ms@securityfocus.com; forensics@securityfocus.com; JKruser; Pedro Miller Rabinovitch; 'Ferris, Thomas M'
Subject: RE: New worm? 'readme.eml'

Following is the full files list:

xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe,
arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe,
rsh.exe, atsvc.exe, qbasic.exe, runonce.exe, syskey.exe, cacls.exe,
ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe,
regedt32.exe, regedit.exe, edit.com, netstat.exe, tracert.exe,
nslookup.exe, rexec.exe, cmd.exe, nslookup.exe, tftp.exe, command.com.

The worm doesn't use all of the above files but I think those files
should be protected anyway...

Guy.

-----Original Message-----
From: Duane Waddle [mailto:waddle1@us.ibm.com]
Sent: Wednesday, September 19, 2001 4:38 PM
To: McCammon, Keith
Cc: focus-ids@securityfocus.com; focus-ms@securityfocus.com; forensics@securityfocus.com; JKruser; Pedro Miller Rabinovitch; 'Ferris, Thomas M'
Subject: RE: New worm? 'readme.eml'

Another handy trick is to take cmd.exe, tftp.exe, ftp.exe (and a whole
host of others -- does anyone have an authoritative list?) out of
winnt\system32, and put them somewhere else, like c:\foo\bar, and ACL
the snot out of it, without using the local 'administrators' group.
Make a group, called 'bob' for instance, and put your local admin
acct(s), and anyone else who should have to have access to these (on a
webserver, that should be a short list). This way the 'LocalSystem'
account does not have access to these tools - if it even finds them in
the 1st place.

Hope this helps.

--D

Duane Waddle
waddle1@us.ibm.com
"With sufficient thrust, pigs fly just fine..." -- RFC1925

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon@eadvancemed.com]
Sent: 09/18/01 04:33 PM
To: 'Ferris, Thomas M' <Thomas.Ferris@nmci-isf.com>; JKruser <jkruser@adelphia.net>; Pedro Miller Rabinovitch <pedro@cipher.com.br>; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

There are a few things that you can do to mitigate risk:

1) Patch. Then patch again. This will keep out most of the nasties
most of the time.

2) Configure your firewall to inspect http if possible and drop on
common strings such as */cmd.exe*, *root.exe*, *.dll*, etc. This keeps
most of the known and surely nasties away from your web server.

3) Ensure that router ACLs and firewall rules are configured correctly
to drop un-established requests from your web servers to the internet.
In the event that numbers one and two both fail (not very likely in a
case like this), your server will be hosed, but at least you won't
pollute the rest of the world with the worm.

Hardly comprehensive, but it's a start!

Keith
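As an added illustration of Keith's second point (not code from any poster in this thread), this Python snippet applies the cmd.exe / root.exe string check to constructed web-server log lines, percent-decoding the request path first so encoded or double-encoded spellings are still caught. The log lines and client addresses are constructed for the demo.

```python
"""Match request paths against the string signatures named in the thread
(cmd.exe, root.exe) after URL-decoding, so percent-encoded and
double-encoded spellings do not slip past a naive substring filter."""
import re
from urllib.parse import unquote

SIGNATURES = ("cmd.exe", "root.exe")

# Constructed W3C-style log lines: date time client method uri-stem status
SAMPLE_LOG = """\
2001-09-18 14:31:02 10.0.0.5 GET /index.html 200
2001-09-18 14:31:07 10.0.0.9 GET /scripts/root.exe 404
2001-09-18 14:31:09 10.0.0.9 GET /scripts/%63%6d%64.exe 404
2001-09-18 14:31:11 10.0.0.9 GET /scripts/%2563md.exe 404
2001-09-18 14:31:13 10.0.0.9 GET /msadc/ROOT.EXE 404
2001-09-18 14:31:15 10.0.0.12 GET /products/list.asp 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize(path, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing (bounded),
    then lower-case; this is what lets %2563md.exe match cmd.exe."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def is_suspicious(path):
    """True when the decoded path contains any of the filter strings."""
    decoded = normalize(path)
    return any(sig in decoded for sig in SIGNATURES)


def scan_log(text):
    """Return (client, decoded_path) for every line whose path matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.group(3), m.group(5)
        if is_suspicious(path):
            hits.append((client, normalize(path)))
    return hits


if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG):
        print(f"{client} requested {path}")
```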

-----Original Message-----
From: Ferris, Thomas M [mailto:Thomas.Ferris@nmci-isf.com]
Sent: Tuesday, September 18, 2001 1:52 PM
To: JKruser; Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

What would be a good solution for this, or is there an exact plan of
attack to defend against this?

Thanks in Advance.

================
Thomas M. Ferris
IA - Incident Response
NMCI San Diego NOC
================

-----Original Message-----
From: JKruser [mailto:jkruser@adelphia.net]
Sent: Tuesday, September 18, 2001 10:07
To: Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'

I also see a very serious possibility of this worm interacting with the
still prevalent Sircam virus. Nimda, when it infects, opens share drives
on the infected PC...Sircam will scan for open shares on an internal
network or cable subnet and infect the remote PC without user
interaction. This could effectively increase the spread of Sircam
exponentially and, due to the remailing capability of Sircam, could shut
down mail servers in a short period of time.

I have not verified this possibility but it sounds feasible.

Claymore
the unprofound

